Category Archives: Training

I’m glad to announce that I’m offering full scholarships for my online training courses to individuals employed by non-profit human services organizations. These are given out based on availability, and each application is evaluated individually by me. This covers the courses listed on my training page, and is my way of serving those who are helping others.

When I first started out, learning how to investigate threats was challenging because there was no formal training available. Even in modern SOCs today, most training is centered around specific tools and relies too heavily on on-the-job training. There has never been a course dedicated exclusively to the fundamental art and science of the investigation process…until now.

If you’re a security analyst responsible for investigating alerts, performing forensics, or responding to incidents, then this is the course that will help you gain a deep understanding of how to most effectively catch bad guys and kick them out of your network. Investigation Theory is designed to help you overcome the challenges commonly associated with finding and catching bad guys:

I’ve got so many alerts to investigate and I’m not sure how to get through them quickly.

I keep getting overwhelmed by the amount of information I have to work with in an investigation.

Some people just seem to “get” security, but it just doesn’t seem to click for me.

Course Format

Investigation Theory is not like any online security training you’ve taken. It is modeled like a college course and consists of two parts: lecture and lab. The course is delivered on-demand so you can proceed through it at your convenience. However, it’s recommended that you take a standard 10-week completion path, or an accelerated 5-week path. Either way, there are ten modules in total, and each module typically consists of the following components:

1 Core Lecture: Theory and strategy are discussed in a series of video lectures. Each lecture builds on the previous one.

1 Bonus Lecture: Standalone content to address specific topics is provided in every other module.

1 Reading Recommendation: While not meant to be read on pace with the course, I’ve provided a curated reading list along with critical questions to consider to help develop your analyst mindset.

1 Quiz: The quiz isn’t meant to test your knowledge, but rather, to give you an opportunity to apply it to reinforce learning through critical thinking and knowledge retrieval.

1 Lab Exercise: The Investigation Ninja system is used to provide labs that simulate real investigations for you to practice your skills.

Investigation Ninja Lab Environment

This course utilizes the Investigation Ninja web application to simulate real investigation scenarios. By taking a vendor-agnostic approach, Investigation Ninja provides real-world inputs and allows you to query various data sources to uncover evil and decide whether an incident has occurred and what happened. You’ll look through real data and solve unique challenges that will test your newly learned investigation skills. A custom set of labs has been developed specifically for this course. No matter what toolset you work with in your SOC, Investigation Ninja will prepare you to excel in investigations using a data-driven approach.


Get stuck in a lab? I’m just an e-mail away and can help point you in the right direction. Enjoy the labs and want to go farther? You can purchase additional access to more labs, including our upcoming “Story Mode” where you create a character and progress through eight levels of investigation scenarios while trying to attain the rank of Investigation Ninja!

Instructor Q&A

This isn’t a typical online course where we just give you a bunch of videos and you’re on your own. The results of your progress, quizzes, and labs are reviewed by me, and I provide real-time feedback as you progress. I’m available as a resource to answer questions throughout the course.

Syllabus

Metacognition: How to Approach an Investigation

Evidence: Planning Visibility with a Compromise in Mind

Investigation Playbooks: How to Analyze IPs, Domains, and Files

Open Source Intel: Understanding the Unknown

Mise en Place: Mastering Your Environment with Any Toolset

The Timeline: Tracking the Investigation Process

The Curious Hunter: Finding Investigation Leads without Alerts

Your Own Worst Enemy: Recognizing and Limiting Bias

Reporting: Effective Communication of Breaches and False Alarms

Case Studies in Thinking Like an Analyst

Plus, several bonus lectures!

Cost

The course and lab access are $597 for a single user license. Discounts are available for multiple user licenses where at least 10 seats are purchased (please contact me to discuss payment). A significant portion of the purchase price will go to support multiple charities including the Rural Technology Fund, the Against Malaria Foundation, and others.

You’ll receive:

6-mo Access to Course Videos and Content

6-mo Access to Investigation Ninja

A Certification of Course Completion

Continuing Education Credits (CPEs/CEUs)

Sign Up Now!

As humans, we rely on visualizing things to solve problems, even when we don’t realize it. In this video, I want to talk about how you can use timelines to visualize investigations. This is useful for tracking active investigations, retracing your steps and identifying gaps in your analysis, and relaying investigation output to management.

In this thirty-minute video I illustrate the complexity of investigations and describe why visualizations are important. From there, I explain how timelines can fill this gap and which types of events are worth tracking on a timeline. Finally, I use VisJS to show how you can create simple timelines to track your investigations.
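As an added illustration of the approach described above (this is example code written for this page, not the code shown in the video), the block below takes a constructed log of investigation steps, shapes it into the item and group format that vis-timeline renders, and flags long stretches where no step was recorded, which is one concrete way to spot gaps in your analysis. The event records, the two-hour gap threshold and the kind-to-group mapping are all assumptions made for the example; the only thing taken from vis-timeline is its documented item shape (id, content, start, end, group, type).

```javascript
// Added example (not from the original post): shape investigation events into the
// item format that vis-timeline renders, and flag long idle stretches between steps.
// Assumptions: the vis-timeline item shape {id, content, start, end, group, type};
// the event records, groups and threshold below are constructed for this example.

// Constructed sample data: one investigation as an analyst might log it.
const SAMPLE_EVENTS = [
  { id: 1, kind: 'alert',      at: '2017-03-01T09:00:00Z', note: 'IDS alert: periodic outbound connection from workstation' },
  { id: 2, kind: 'query',      at: '2017-03-01T09:10:00Z', note: 'Queried flow records for the source host' },
  { id: 3, kind: 'evidence',   at: '2017-03-01T09:25:00Z', note: 'Flow data shows a 60-second connection interval' },
  { id: 4, kind: 'query',      at: '2017-03-01T13:05:00Z', note: 'Pulled DNS logs for the destination name' },
  { id: 5, kind: 'evidence',   at: '2017-03-01T13:20:00Z', note: 'Destination resolves to a recently registered domain' },
  { id: 6, kind: 'conclusion', at: '2017-03-01T14:00:00Z', note: 'Assessed as compromise; escalated to IR lead' },
];

// One vis-timeline group per event kind, so alerts, queries, evidence and conclusions
// land on separate rows and the analyst's pivots are easy to follow (constructed mapping).
const GROUPS = [
  { id: 'alert',      content: 'Alerts' },
  { id: 'query',      content: 'Queries' },
  { id: 'evidence',   content: 'Evidence' },
  { id: 'conclusion', content: 'Conclusions' },
];

// Two hours with no recorded step is treated as a gap worth revisiting (constructed threshold).
const GAP_THRESHOLD_MS = 2 * 60 * 60 * 1000;

// Sort events chronologically; reject records whose timestamp does not parse.
function sortEvents(events) {
  for (const e of events) {
    if (Number.isNaN(Date.parse(e.at))) throw new Error(`event ${e.id}: bad timestamp ${e.at}`);
  }
  return [...events].sort((a, b) => Date.parse(a.at) - Date.parse(b.at));
}

// Convert events into point items that vis-timeline can render directly.
function toTimelineItems(events) {
  return sortEvents(events).map((e) => ({
    id: e.id,
    group: e.kind,
    content: e.note,
    start: new Date(e.at),
    type: 'point',
  }));
}

// Find consecutive events separated by more than thresholdMs; returns the pair and the gap in minutes.
function findGaps(events, thresholdMs = GAP_THRESHOLD_MS) {
  const sorted = sortEvents(events);
  const gaps = [];
  for (let i = 1; i < sorted.length; i++) {
    const prev = sorted[i - 1];
    const next = sorted[i];
    const deltaMs = Date.parse(next.at) - Date.parse(prev.at);
    if (deltaMs > thresholdMs) {
      gaps.push({ afterId: prev.id, beforeId: next.id, minutes: deltaMs / 60000 });
    }
  }
  return gaps;
}

// Render gaps as shaded background ranges so they stand out on the timeline.
function gapsToBackgroundItems(events, thresholdMs = GAP_THRESHOLD_MS) {
  const byId = new Map(events.map((e) => [e.id, e]));
  return findGaps(events, thresholdMs).map((g, i) => ({
    id: `gap-${i + 1}`,
    type: 'background',
    className: 'analysis-gap',
    content: `${g.minutes} min without a recorded step`,
    start: new Date(byId.get(g.afterId).at),
    end: new Date(byId.get(g.beforeId).at),
  }));
}

// Everything a page needs in order to call `new vis.Timeline(container, items, groups)`.
function buildTimeline(events, thresholdMs = GAP_THRESHOLD_MS) {
  return {
    items: [...toTimelineItems(events), ...gapsToBackgroundItems(events, thresholdMs)],
    groups: GROUPS,
    gaps: findGaps(events, thresholdMs),
  };
}

// Stand-alone run: print the gap report for the constructed investigation.
if (typeof require !== 'undefined' && require.main === module) {
  const { gaps } = buildTimeline(SAMPLE_EVENTS);
  for (const g of gaps) {
    console.log(`Gap of ${g.minutes} min between event ${g.afterId} and event ${g.beforeId}`);
  }
}
```

In a browser page you would pass `items` and `groups` from `buildTimeline` to the vis-timeline constructor; the gap entries are the part worth reviewing before a hand-off, since a long silent stretch usually means either an unrecorded step or a line of inquiry that was dropped.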

Building a security lab is something I get asked about really often. So often, in fact, that I decided to put some of my notes together and record a short training video on the topic. This video is only a small part of a much larger series I’m developing, so if you’re interested in learning more about that when it’s available, sign up for my mailing list.

In this one hour video I discuss the importance of an NSM lab and go through a systematic approach to building your own. I go through the following topics:

Analyzing your needs to define your inputs and desired outputs

Modeling your lab by building a list of technologies

The pros and cons of physical, virtual, and cloud based labs

Choosing the right platform for your lab

Designing your lab network

Sourcing the right hardware for your lab

Taking a step by step approach to designing and building the lab

Once you’re done with this video, you should have a system you can follow to build a lab that will help you test and build detection, analyze malware, and create simulations. I also provide a lot of insight into the personal lab I use for my writing and my day job. I’ve also included some additional resources:

Lab planning worksheet

An exact parts list from my lab

Two example lab network diagrams

The network diagram for my personal lab

You can access the additional resources mentioned in the video by signing up here.

I’ll be using the list to occasionally collect feedback about research I’m doing and to send out preliminary research and content that won’t be appearing on the blog. If you’re interested in my work, this is a great way to contribute and benefit from it. I’ll also be sharing details about some new training content I have coming up and how you can get free or discounted access by signing up early and providing feedback. Lastly, I’ll provide information about new publications, discount codes, and the occasional free book giveaway.

Stay Updated!

I use my mailing list to send out exclusive content, training discounts, and it's the best way to stay up to date on new classes I conduct on topics like network security monitoring, packet analysis, technical writing, and more.


Applied Network Security Monitoring

Applied Network Security Monitoring is the essential guide to becoming an NSM analyst from the ground up. This book takes a fundamental approach, complete with real-world examples that teach you the key concepts of NSM.

Practical Packet Analysis

It's easy to capture packets with Wireshark, the world's most popular network sniffer, whether off the wire or from the air. But how do you use those packets to understand what's happening on your network? This extensively revised second edition of the best-selling Practical Packet Analysis will teach you how to make sense of your PCAP data.

100% of the author royalties for sales of Practical Packet Analysis go to support the Rural Technology Fund.

Rural Technology Fund

Established in 2008, the Rural Technology Fund (RTF) seeks to reduce the digital divide between rural communities and their more urban and suburban counterparts. This is done through targeted scholarship programs, community involvement, and the general promotion and advocacy of technology in rural areas.